How do I overcome the 50 IP limit per security group in AWS?

The problem:

The limit on inbound or outbound rules per security group in AWS is 50 (see the AWS reference).

From the inbound perspective this is not a big issue: if your instances serve customers on the internet, the security group is wide open anyway, and if you want to allow access only from a few internal IPs, the 50-rule limit is sufficient.

However, outbound (egress) traffic is a different discussion. Say you have a production instance that needs updates from updates.ubuntu.com (15 IPs), a few other repositories such as GitHub (12 IPs), and perhaps a third-party partner. You quickly realize that 50 IPs are not enough.

The solution:

Aviatrix's solution to this problem is the FQDN Filter security feature, which lets you specify filters using the Fully Qualified Domain Name of the destinations your instances are allowed to reach. This simplifies management: you only have to enter names such as update.ubuntu.com or github.com to allow access to those services, without dealing with third-party domain name resolution or with updates to the IPs behind those domains.
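As an added illustration (not code from this article or from Aviatrix), the following Python models the two approaches on constructed, placeholder DNS data: an IP-based security group needs one egress rule per resolved address and silently blocks legitimate traffic when a destination's addresses change, while an FQDN allow-list is evaluated against the destination hostname (assumed here to come from the TLS SNI or HTTP Host header) and stays valid. The partner's 29 addresses and the `*.github.com` wildcard rule are assumptions made for the example.

```python
"""Why per-IP egress rules break down, and how an FQDN allow-list differs.

All addresses below are constructed placeholders from the TEST-NET ranges,
not real resolutions of these domains.
"""
import fnmatch
import ipaddress

SG_RULE_QUOTA = 50  # inbound or outbound rules per security group (from the article)


def ip_rules_needed(resolutions):
    """One security-group rule per distinct destination address (/32)."""
    return sum(len(set(ips)) for ips in resolutions.values())


def build_ip_allowlist(resolutions):
    """Snapshot the resolved addresses into a set of egress rules."""
    return {ipaddress.ip_address(ip) for ips in resolutions.values() for ip in ips}


def ip_rule_allows(allowlist, dst_ip):
    """IP-based decision: only addresses resolved at rule-creation time pass."""
    return ipaddress.ip_address(dst_ip) in allowlist


def fqdn_filter_allows(patterns, fqdn):
    """FQDN-based decision on the destination hostname; '*' is a glob wildcard
    (matches across labels, so '*.github.com' also covers 'a.b.github.com')."""
    name = fqdn.rstrip(".").lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


# Constructed DNS snapshots (placeholder addresses). Day 2: Ubuntu's mirror pool
# moved to new addresses, as CDN-backed services routinely do.
DAY1 = {
    "updates.ubuntu.com": ["203.0.113.%d" % i for i in range(1, 16)],   # 15 IPs
    "github.com": ["198.51.100.%d" % i for i in range(1, 13)],          # 12 IPs
    "api.partner.example": ["192.0.2.%d" % i for i in range(1, 30)],    # 29 IPs (assumed)
}
DAY2 = dict(DAY1, **{"updates.ubuntu.com": ["203.0.113.%d" % i for i in range(20, 35)]})

# The same policy expressed as FQDN filters: four entries, no IP maintenance.
FQDN_RULES = ["updates.ubuntu.com", "github.com", "*.github.com", "api.partner.example"]

if __name__ == "__main__":
    rules = ip_rules_needed(DAY1)
    print("IP rules needed:", rules, "quota:", SG_RULE_QUOTA, "exceeded:", rules > SG_RULE_QUOTA)
    day1_rules = build_ip_allowlist(DAY1)
    new_ip = DAY2["updates.ubuntu.com"][0]
    print("Day-2 Ubuntu mirror", new_ip, "allowed by day-1 IP rules:", ip_rule_allows(day1_rules, new_ip))
    print("updates.ubuntu.com allowed by FQDN filter:", fqdn_filter_allows(FQDN_RULES, "updates.ubuntu.com"))
```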

An Aviatrix NAT gateway deployed in your public VPC is required to carry the outbound traffic to the internet. For details on how to implement this, see the article on the Aviatrix documentation page.